PKI - Subject Name Format
We recently deployed a two-tier internal PKI based on 2008 R2. Currently we have deployed Domain Authentication templates and computer certificates, and are in the process of testing some user deployment scenarios. My organization uses our employee number, i.e. 12345, as our sAMAccountName and CN. This produces an issue with user templates based off these fields when digitally signing PDF documents and such, as it's the employee number that shows and not the name. Is there a way to modify it to use the display name? If it's not possible with the standard certificate template interface, can I do it using Certificate Lifecycle Manager? And if so, is that a real pain? Any other thoughts on how to solve this issue so users can digitally sign documents and it will show their name and not the employee number based on CN / sAMAccountName? Thanks.
April 29th, 2010 6:35pm

You can definitely do this by deploying FIM 2010 CM. There are two plug-in policy modules that will assist you:
1) The Subject plug-in policy module allows you to define a variable string for subject name construction. For example, you could define a subject as CN={User!givenName} {User!sn},OU=Employees,O=Example Corporation,C=US. Note that this is a combination of variables from AD and static text. As long as there is an attribute in AD (direct, such as displayName) or built (using first and last name as shown above), you can use this. In this case, the actual certificate template is set with the Subject Name as None, and the policy module plug-in injects the name into the Subject name before the certificate is issued.
2) The Subject Alternative Name (SAN) plug-in policy module allows you to define a variable string for SAN construction. For example, you could define a subject as CN={User!givenName} {User!sn},OU=Employees,O=Example Corporation,C=US. You can also define more than one SAN name for inclusion, and even configure the policy module to not include a SAN name format if the AD attribute is not populated.
HTH, Brian
April 29th, 2010 7:28pm
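To make the variable-string behaviour Brian describes concrete, here is an added example (not FIM CM code, and not from the original thread) that models it in Python: a `{User!attr}` template is expanded from a user's AD attributes into a subject DN and a list of SAN entries, and an entry whose attribute is not populated is dropped. The sample users are constructed for the example; the SAN type names and the RFC 4514 escaping of attribute values are assumptions of this example, since the page does not say how the real policy module escapes a displayName containing a comma. The escaping is the check a practitioner would want: without it "Smith, Jane" splits into two RDNs, and anyone who can edit their own directory attributes could append extra RDNs to their own subject.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory data (not real users): the employee number is
# both sAMAccountName and CN, as in the original question.
USERS: Dict[str, Dict[str, str]] = {
    "12345": {
        "sAMAccountName": "12345",
        "cn": "12345",
        "givenName": "Jane",
        "sn": "Smith",
        "displayName": "Smith, Jane",
        "mail": "jane.smith@example.com",
        "userPrincipalName": "12345@corp.example.com",
    },
    "67890": {
        "sAMAccountName": "67890",
        "cn": "67890",
        "givenName": "Bob",
        "sn": "O'Neil",
        "displayName": "O'Neil, Bob",
        # no mail / userPrincipalName: SAN entries that need them are skipped
    },
}

SUBJECT_TEMPLATE = "CN={User!givenName} {User!sn},OU=Employees,O=Example Corporation,C=US"

# (SAN type, template) pairs.  The type labels are this example's own naming,
# not the policy module's configuration syntax.
SAN_TEMPLATES: List[Tuple[str, str]] = [
    ("rfc822Name", "{User!mail}"),
    ("otherName:UPN", "{User!userPrincipalName}"),
]

_VAR = re.compile(r"\{User!([A-Za-z0-9]+)\}")


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RFC 4514 DN string.

    Without this a displayName such as "Smith, Jane" splits into two RDNs,
    and a user who can write their own attributes could inject ",O=Other"
    into their own subject.  Whether FIM CM escapes exactly this way is an
    assumption of this example.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def expand(template: str, attrs: Dict[str, str], dn: bool) -> Optional[str]:
    """Replace every {User!attr} in template with that user attribute.

    Returns None if any referenced attribute is missing or empty, so the
    caller can drop the entry (the "do not include a SAN if the attribute is
    not populated" behaviour) or refuse issuance.  dn=True applies DN escaping.
    """
    missing = False

    def sub(m: "re.Match[str]") -> str:
        nonlocal missing
        v = attrs.get(m.group(1), "")
        if not v:
            missing = True
            return ""
        return escape_dn_value(v) if dn else v

    result = _VAR.sub(sub, template)
    return None if missing else result


def build_subject(attrs: Dict[str, str], template: str = SUBJECT_TEMPLATE) -> str:
    """Subject DN to inject into the request (template has Subject Name = None)."""
    subject = expand(template, attrs, dn=True)
    if subject is None:
        raise ValueError("subject template references an unpopulated attribute")
    return subject


def build_san(attrs: Dict[str, str], templates=SAN_TEMPLATES) -> List[Tuple[str, str]]:
    """SAN entries for the request, skipping any whose attribute is not populated."""
    entries = []
    for kind, tmpl in templates:
        value = expand(tmpl, attrs, dn=False)
        if value is not None:
            entries.append((kind, value))
    return entries


if __name__ == "__main__":
    for emp, attrs in USERS.items():
        print(emp, "->", build_subject(attrs), build_san(attrs))
        print("   displayName form:",
              build_subject(attrs, "CN={User!displayName},O=Example Corporation,C=US"))
```

Running it shows employee 12345 issued as `CN=Jane Smith,...` with two SAN entries, employee 67890 as `CN=Bob O'Neil,...` with no SAN entries, and the displayName form escaped to `CN=Smith\, Jane,...`. A subject template that references an attribute the user lacks raises rather than issuing a certificate with an empty CN.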

Perfect, thanks for the quick response. I will look into FIM 2010
April 29th, 2010 8:02pm

Brian K, so we looked into FIM and based on the cost of ~$20,000 just for the server license and ~22 per user for the CAL, I don't think we are going to be able to swing that cost. So my question is: can we modify the Subject Name or use something like FIM 2010 CM without buying FIM? We just need to change a user template for digital signatures. All recommendations appreciated. Thanks.
May 3rd, 2010 4:38pm
